Information System Audits

Information System (IS) audits conducted by the Legislative Audit Division are designed to assess controls in an IS environment. IS controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States Government Accountability Office.

Members of the IS audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business, accounting and computer science.

IS audits are performed as stand-alone audits of IS controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee, which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.

Direct comments or inquiries to:

Legislative Audit Division
Room 160, State Capitol
PO Box 201705
Helena MT 59620-1705
(406) 444-3122

Reports can be found in electronic format at:
http://leg.mt.gov/audit.htm
The Legislative Audit Committee
of the Montana State Legislature:

We conducted an Information Systems audit of the Unemployment Insurance Tax System (UIT). The Department of Labor and Industry (DLI) operates and maintains the UIT System to assist in the administration of Montana employers' unemployment insurance tax records and premiums. The focus of the audit was to ensure the UI Section has controls in place to:

♦ identify and assign appropriate system access.

♦ calculate and enter yearly ratio changes.

♦ ensure data is sent and received appropriately.

♦ ensure a process is in place to request, test, and accept system modifications.

We wish to express our appreciation to DLI for their cooperation and assistance.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Room 160 • State Capitol Building • PO Box 201705 • Helena, MT • 59620-1705
Phone (406) 444-3122 • FAX (406) 444-9784 • E-Mail lad@mt.gov
Report Summary

Department of Labor and Industry

Since unemployment insurance taxes are the primary source of benefits paid out to Montana's unemployed, and due to the reliance the division has on the UIT System, we conducted an audit of the System, the policies and procedures in place regarding access to the system, and enhancements made to the system.

Unemployment Insurance is a federal and state funded insurance program designed to provide temporary benefits to eligible individuals. The division maintains and operates the UIT System to assist in the administration of Montana employers' unemployment insurance tax records and premiums.

Audit Objectives, Scope and Methodology

This audit focused on the UIT System's operations, including tax calculations and interactions with other systems, as well as the Unemployment Insurance Division's process for granting access to system components and creating modifications to the system. Based on the importance of the UIT System to the management of employer accounts, we addressed the following objectives:

♦ Verify the UIT System is accurately and completely calculating unemployment insurance tax rates for Montana's businesses.

♦ Verify transfer of information between systems is complete.

♦ Verify system changes go through controlled change management procedures.

♦ Verify controls are in place to limit access to the UIT System.

This audit was conducted in accordance with Government Auditing Standards published by the Government Accountability Office. In addition, we evaluated the control environment using generally applicable and accepted information technology standards established by the IT Governance Institute.

Conclusion

Based on tests performed and on interviews and observations with programmers, users and management, the audit objectives have been achieved with the exception of system access. See the attached audit report for opportunities for improvement in access control to ensure compliance.
Chapter I — Introduction and Background

Introduction

Unemployment Insurance (UI) is a federal and state funded insurance program designed to provide temporary benefits to eligible individuals. Administrative costs of UI are funded through a federal payroll tax paid by employers. The actual administration of UI is the responsibility of the Unemployment Insurance Division (division) within the Montana Department of Labor and Industry (DLI). Benefits to unemployed workers are paid by UI taxes from Montana employers. The program was designed not only to lessen the burden of unemployment on the worker and the worker's family, but also to help local communities maintain a stable workforce and economy by allowing the workforce to remain in the community during times of temporary unemployment.

During fiscal year 2007, $82,983,728 was collected in UI tax from 37,115 Montana employers. The division received 55,047 claims, resulting in 28,151 claimants receiving benefits totaling $76,510,835. More taxes were collected than benefits paid out, resulting in an increase to the UI Trust Fund and bringing the balance to $259,232,654. During this time, Montana's workforce included 506,385 people, of which 493,889 were employed. Montana's unemployment rate as of June 30, 2007 was 2.4 percent.

The division maintains and operates the Unemployment Insurance Tax (UIT) System to assist in the administration of Montana employers' unemployment insurance tax records and premiums. The UIT System was first created in 1991 under the name Montana Automated Contribution (MAC) System and was subsequently operated by the division until the processing of UI was moved over to the Department of Revenue and integrated into the Process Oriented Integrated System (POINTS) in 1999. In 2003 the MAC System was modified to account for federal and state law changes and automation environment changes that had occurred since 1999. In 2004 processing of UI data was transferred back to the Department of Labor and Industry. At this time the project was referred to by several different names, including Phoenix, New MAC, and finally UIT.

Since unemployment insurance taxes are the primary source of benefits paid out to Montana's unemployed, and due to the reliance the division has on the UIT System, we conducted an audit of the System, the policies and procedures in place regarding access to the system, and enhancements made to the system.

Audit Objectives

This audit focused on the UIT System's operations, including tax calculations and interactions with other systems, as well as the Unemployment Insurance Division's processes for granting access to system components and creating modifications to the system. Based on the importance of the UIT System to the management of employer accounts, we addressed the following objectives:

♦ Verify the UIT System is accurately and completely calculating unemployment insurance tax rates for Montana's businesses.

♦ Verify transfer of information between systems is complete.

♦ Verify system changes go through controlled change management procedures.

♦ Verify controls are in place to limit access to the UIT System.

Audit Scope and Methodology

Testing of the UIT System functionality and controls was conducted through a combination of staff interviews, observation of the UIT processes, and analysis of the UIT System data.

The division relies on the UIT System to calculate employers' unemployment insurance tax due and to provide and receive information both to and from other information systems.

Section 39-51-1218, MCA, defines the rate schedule used to determine the amount of unemployment insurance tax an employer is required to pay. The rate schedule includes a minimum ratio for each tax schedule, representing the minimum fund level required and adjusted each year to account for unemployment trends.

Our audit work addressed the annual process for updating the ratios in the UIT System for each of the tax schedules. This process includes both manual and system-related procedures. The system generates a report providing information which is manually entered into a spreadsheet. Using the statutory guidelines, the spreadsheet calculates the ratios that will be used for the next year. The ratios are then manually entered into the UIT System. We reviewed the system-generated report to determine whether the report extracts information from the correct table and table fields. We also addressed whether the data represents what is in the system and is not altered in the report. We compared ratios calculated in the spreadsheet to the ratios in the system and determined the ratios in the system matched those calculated in the spreadsheet.

The UIT System shares information with other systems both inside and outside the department by sending and receiving computer files. The process of sending and receiving files occurs during automated nightly job processing and is monitored by the Department of Administration (DOA) Information Technology Services Division (ITSD). ITSD monitors the log files created during the job processing and notifies Unemployment Insurance Division staff when a log file contains an error. Our audit work addressed the process of preparing data to be sent to other systems, as well as data received from other systems, to:

♦ ensure edit checks are in place so that only properly formatted data is loaded into the UIT System.

♦ ensure data is completely loaded in the UIT System.

♦ ensure data sent to other systems is complete.

We reviewed the log files from the nightly job processing to identify formatting errors, as well as error messages when a job could not be loaded in the UIT System. We also identified error messages when a file could not be completed or a transfer could not be done. Our review of log files also found every process that ran without error recorded a completion notice. During subsequent reviews of log files for jobs that could not be completed, we found the jobs containing errors were fixed and processing was able to be completed. Because the log files contain both the error messages and the completion notices, we concluded edit checks are in place to ensure data is properly formatted, data is completely loaded in the UIT System, and data is sent to other systems.
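
The log review described above can be expressed as a script. The following is an added example and is not ITSD's monitoring or any UIT code: the log format is constructed for illustration, as are the job names. It pairs each job's START line with the ERROR and END lines that follow, classifies each run, and reports any job whose latest run did not finish cleanly. It also covers the case the text implies but does not name: a job that logs neither an error nor a completion notice.

```python
"""Reconcile nightly batch-job logs: did every transfer job finish cleanly?

Added example, not ITSD's monitoring. The log format below is constructed
for illustration; real job logs will differ, only the checks carry over.
"""
import re

# Constructed log excerpt: two nights of a hypothetical job schedule.
LOG_LINES = """\
2007-06-14 02:00:01 JOB=UIT_DOR_IN START
2007-06-14 02:00:09 JOB=UIT_DOR_IN ERROR rec=417 bad date format '20070631'
2007-06-14 02:00:09 JOB=UIT_DOR_IN END rc=8
2007-06-14 02:05:00 JOB=UIT_DPHHS_OUT START
2007-06-14 02:05:42 JOB=UIT_DPHHS_OUT END rc=0 records=1203
2007-06-14 02:10:00 JOB=UIT_COMMERCE_OUT START
2007-06-15 02:00:01 JOB=UIT_DOR_IN START
2007-06-15 02:00:11 JOB=UIT_DOR_IN END rc=0 records=884
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) JOB=(\S+) (START|ERROR|END)(?:\s+(.*))?$")


def parse_runs(lines):
    """Pair START lines with the ERROR/END lines that follow for the same job.

    Returns the runs in log order. A run with no END is left with
    ended=False, which is the silent-failure case a completeness check
    must catch: no error was logged, but nothing was completed either.
    """
    runs, open_runs = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log noise; tighten this once the format is known
        date, _time, job, event, rest = m.groups()
        rest = rest or ""
        if event == "START":
            run = {"job": job, "date": date, "errors": [], "rc": None, "ended": False}
            open_runs[job] = run
            runs.append(run)
        elif job in open_runs:  # ignore ERROR/END lines with no matching START
            run = open_runs[job]
            if event == "ERROR":
                run["errors"].append(rest)
            else:
                rc = re.search(r"rc=(\d+)", rest)
                run["rc"] = int(rc.group(1)) if rc else None  # missing rc is not clean
                run["ended"] = True
                del open_runs[job]
    return runs


def run_status(run):
    """'completed' only when the job ended with rc=0 and logged no error."""
    if not run["ended"]:
        return "incomplete"
    if run["errors"] or run["rc"] != 0:
        return "failed"
    return "completed"


def unresolved_jobs(runs):
    """Jobs whose most recent run is not completed.

    A failed run followed by a clean rerun (UIT_DOR_IN here) counts as
    resolved; a job that never ended stays on the list.
    """
    latest = {}
    for run in runs:
        latest[run["job"]] = run
    return sorted(job for job, run in latest.items() if run_status(run) != "completed")


if __name__ == "__main__":
    runs = parse_runs(LOG_LINES)
    for run in runs:
        print(run["date"], run["job"], run_status(run), run["errors"])
    print("needs follow-up:", unresolved_jobs(runs))
```

The "incomplete" status is the one a reviewer who only greps for error messages would miss; a job that was never finished produces no error line and no completion notice, so the check has to be driven from the START lines rather than from the errors.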

We reviewed the agency's UIT System change management procedures. The change management procedures are documented in the division's Information Technology Security Plan (ITSP). The ITSP includes the following sections:

♦ Submission, Authorization, and Assignment

♦ Version Control

♦ Development

♦ Testing

♦ Deployment and User Notification

For each of these sections, the ITSP includes the purpose, responsible parties, time considerations, process descriptions (including documentation requirements), process results, and reference controls and procedures for both pre- and post-conditions.

While observing the division's change control process, we could follow the process from start to finish and see all the changes to the code as required by the request. For each modification we found all the documentation required in the ITSP and verified versions in the program code. Based on our review and observations, we are able to conclude the division has documented change management procedures and the procedures are followed as outlined in the ITSP.

Our audit work included a review of the division's process for managing user accounts, including the access privileges assigned. This process is addressed in the following chapter.

This audit was conducted in accordance with Government Auditing Standards published by the Government Accountability Office. In addition, we evaluated the control environment using generally applicable and accepted information technology standards established by the IT Governance Institute.

Chapter II — System Access

System Access

Access to the UIT System is important to meet the business needs of not only the division and DLI, but also other state departments including the Department of Public Health and Human Services and the Department of Commerce. The UIT System operates through interaction with 441 users who are state employees and contractors with a business need to access the system. Access to the UIT System should be granted based on the principle of least privilege (also referred to as the principle of least authority). This principle limits a user's access to information and resources to only those necessary according to the user's job responsibilities. To gain access to the UIT System, division security staff assign a unique login ID to each user. Based on a user's job responsibilities, each user is assigned either read-only access or update access (giving them the ability to change or update information) to screens within the UIT application. The division is also responsible for limiting those with access to the internal components of the UIT System, including programming code. To ensure access is limited to appropriate levels, we conducted testing on access controls and found the following concerns:

♦ One contractor had update access not based on their current job responsibilities.

♦ Program code is accessible to terminated programmers.

♦ A screen used to manually adjust contribution amounts is still accessible.

♦ The ability to stop billing for overdue payments within the UIT System is accessible to the user assigned to review its use.

Industry standards require a review of all accounts and related privileges to be performed regularly as part of the management of users' accounts.

Contractor Access

DLI policy states that when an individual requires access to the UIT System, they must complete a system access form. The system access form must define why the user requires access, and be signed by the individual's supervisor. Security staff subsequently assess the need and level of access and grant the access to the system.

Update access allows a user to change data. We compared all users with update access in the UIT System with their system access forms on file to ensure the level of access granted met their needs based on their job duties. Our review identified one active contractor with update access to a screen providing the ability to change contact information of employers in the system. This access is not necessary to perform their current job responsibilities. This ability could affect the employer and the state if correspondence cannot effectively take place. Security staff indicated this contractor no longer needs this level of access and it should have been changed. Since being notified of its existence, the access has been limited to read only.

Program Code Access

The production environment is where the current system in operation is stored. Included in the environment is UIT System programming source code and database tables. Access to source code should be limited to current employees whose job duties require the ability to work with these components. Otherwise, the potential exists for unauthorized insertions or deletions to code or database tables, thus changing the functionality of the system and increasing the threat of manipulation, loss, and theft of sensitive data.

We reviewed the list of users with access to the UIT System's source code in the production environment and identified eight users with access. Our review found six of the users were current employees with an identified need for their access. We also identified one user as a terminated employee and one user account entered in error and not belonging to a specific employee. Subsequent review determined no changes to the production code were made using the unaccounted-for account or by the terminated account after the user left employment. When asked about the review of access at this level, security staff noted that their access review does not include a review of users with access to system code.

Reconciliation Screen

When unemployment insurance data was transferred from POINTS to the UIT System, the Unemployment Insurance Division was not sure how the data would transfer and how the system's calculations would handle the transferred data. Because of these concerns, the division implemented a component (the Reconciliation Screen) allowing a user to manually change an employer's required unemployment insurance tax contribution amount, so that the amount could be reconciled in the event it was transferred and calculated improperly. Three years later, we determined this component is still active and not being monitored. As a result, users still have the ability to manually reduce or increase an employer's contribution amount.

We notified management this component is still active. Management stated the component is not used and has never been used, and did not know why the component is still active. Audit work determined the component was still accessible and six users currently have update access. A report was created to identify any changes made using the Reconciliation Screen. Using this report we were able to verify that no employer tax amount currently in the system had been changed using this screen. Industry standards require software to go through a periodic review against business needs, and when business needs no longer require the use of software components, those components should be removed.

Stop Billing

The stop billing indicator is used to stop the system from generating overdue bills. The indicator serves two purposes: first, it stops overdue bills from being mailed unnecessarily, and second, the system automatically creates a tickler to remind the user who entered the stop billing indicator to revisit, in 90 days, the reason for it. The stop billing indicator is a control the division uses to help meet the time and communication requirements of section 39-51-1303, MCA. For this reason, the stop billing process is an important risk to consider as part of the division's business process. The division has found it necessary to monitor the use of the stop billing indicator and has assigned the monitoring of its use to one employee. However, that employee also has the ability to enter a stop billing indicator as part of their job. The employee who monitors the stop billing process should not be able to enter a stop billing indicator. Having both capabilities allows the control to be circumvented.

Summary

Industry standards require that requesting, establishing and issuing access, as well as modifying, closing and reviewing access, be addressed as part of user account management. Our review found:

♦ One contractor with update access after the level of access was no longer required.

♦ Two users with access to system code that should have been removed.

♦ Six users with access to a system component no longer used or monitored.

♦ One employee assigned incompatible duties, both creating and monitoring the stop billing indicators.

Recommendation #1

We recommend the department:

A. Develop review procedures to identify and remove inappropriate access to the Unemployment Insurance Tax System.

B. Remove the reconciliation component of the Unemployment Insurance Tax System.
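
The review procedure in Recommendation #1A can be mechanized so that it runs on a schedule rather than depending on an auditor's sample. The following is an added example and is not the department's procedure or any UIT code. It reconciles a privilege export against the signed access forms, HR's active-user list, the production source-code access list, the list of retired screens, and the monitoring assignments, and reports each of the four classes of exception found in Chapter II. Every user name, screen name and account below is constructed for illustration.

```python
"""Periodic access review for an application like the UIT System.

Added example, not the division's procedure. The inputs below are
constructed stand-ins for: the system's user/privilege export, the signed
access forms, HR's active-user list, the production source-code access
list, and the division's monitoring assignments.
"""

# Constructed privilege export: user -> {screen: level}. Level is
# "read" or "update"; update allows the user to change data.
SYSTEM_ACCESS = {
    "jdoe":    {"EMPLOYER_CONTACT": "update", "STOP_BILLING": "update"},
    "ctr_lee": {"EMPLOYER_CONTACT": "update"},           # contractor
    "aroe":    {"RECONCILIATION": "update", "STOP_BILLING": "read"},
    "mkim":    {"RECONCILIATION": "update"},
    "xgone":   {"EMPLOYER_CONTACT": "read"},             # no longer employed
}

# Constructed access forms: the level a supervisor actually signed for.
ACCESS_FORMS = {
    "jdoe":    {"EMPLOYER_CONTACT": "update", "STOP_BILLING": "update"},
    "ctr_lee": {"EMPLOYER_CONTACT": "read"},
    "aroe":    {"RECONCILIATION": "update", "STOP_BILLING": "read"},
    "mkim":    {"RECONCILIATION": "update"},
}

# Constructed HR list of current employees and contractors.
ACTIVE_USERS = {"jdoe", "ctr_lee", "aroe", "mkim", "pdev", "qdev"}

# Constructed list of accounts that can change production source code.
CODE_ACCESS = {"pdev", "qdev", "rold", "tmp_acct"}

# Screens with no remaining business use (e.g. a migration-era
# reconciliation screen) that should carry no update access at all.
RETIRED_SCREENS = {"RECONCILIATION"}

# Monitoring assignments: screen -> user who reviews its use.
MONITORS = {"STOP_BILLING": "jdoe"}

LEVEL_RANK = {"none": 0, "read": 1, "update": 2}


def excess_privileges(system_access, access_forms):
    """Users whose granted level on a screen exceeds what their form approves.

    A user with no form at all is compared against 'none', so any access
    without a signed form is reported as well.
    """
    findings = []
    for user, screens in sorted(system_access.items()):
        approved = access_forms.get(user, {})
        for screen, granted in sorted(screens.items()):
            ok = approved.get(screen, "none")
            if LEVEL_RANK[granted] > LEVEL_RANK[ok]:
                findings.append((user, screen, granted, ok))
    return findings


def stale_accounts(accounts, active_users):
    """Accounts that do not belong to a current employee or contractor."""
    return sorted(set(accounts) - set(active_users))


def retired_screen_access(system_access, retired_screens):
    """Users who can still update a screen the business no longer uses."""
    return sorted(
        (user, screen)
        for user, screens in system_access.items()
        for screen, level in screens.items()
        if screen in retired_screens and level == "update"
    )


def segregation_conflicts(system_access, monitors):
    """Users who both monitor a control and can operate it themselves."""
    return sorted(
        (user, screen)
        for screen, user in monitors.items()
        if system_access.get(user, {}).get(screen) == "update"
    )


def run_review():
    """Run every check and return the exceptions for follow-up."""
    return {
        "excess_privileges": excess_privileges(SYSTEM_ACCESS, ACCESS_FORMS),
        "terminated_app_accounts": stale_accounts(SYSTEM_ACCESS, ACTIVE_USERS),
        "terminated_code_accounts": stale_accounts(CODE_ACCESS, ACTIVE_USERS),
        "retired_screen_update": retired_screen_access(SYSTEM_ACCESS, RETIRED_SCREENS),
        "segregation_conflicts": segregation_conflicts(SYSTEM_ACCESS, MONITORS),
    }


if __name__ == "__main__":
    for check, items in run_review().items():
        print(f"{check}: {items if items else 'no exceptions'}")
```

The source-code access list is reviewed with the same function as the application accounts; keeping it as a separate input is what closes the gap security staff described, where the periodic review covered application users but not the accounts able to change production code.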


Department of Labor and Industry

Department Response

State of Montana
Department of Labor & Industry
Brian Schweitzer, Governor

UNEMPLOYMENT INSURANCE DIVISION
Roy Mulvaney, Administrator
November 15, 2007

RECEIVED NOV 15 2007 LEGISLATIVE AUDIT DIV.

Scott Seacat
Legislative Auditor
PO Box 201705
Helena, MT 59620-1705

Dear Mr. Seacat:

Enclosed please find the Department of Labor and Industry's written response to the final report on the audit of the Unemployment Insurance Tax System.

Sincerely,

Roy Mulvaney, Administrator
Unemployment Insurance Division
Department of Labor and Industry

cc: Keith Kelly, Commissioner

Enc.

Phone (406) 444-3834 • FAX (406) 444-0629 • TDD (406) 444-0532
P.O. Box 6339 • Helena, MT 59604-6339
"Quality Service by Caring, Dedicated People"
Information Systems Audit

Unemployment Insurance Tax System

Department of Labor and Industry

November 15, 2007

Recommendation #1:

We recommend the Department:

A. Develop review procedures to identify and remove inappropriate access to the Unemployment Insurance Tax System.

B. Remove the reconciliation component of the Unemployment Insurance Tax System.

Concur. The department will develop standardized procedures for identifying and removing inappropriate access to the UIT system by 6/30/2008.

The department concurs with removing the reconciliation component after the statute of limitations has passed for reactivating accounts with inactivation dates prior to 2005. We intend to remove this component in 2010. The department has removed update capabilities for those employees and components identified in the audit.


